WORM_AUTORUN.BUK

Malware type: Worm

Aliases: Worm.Win32.AutoRun.dcw (Kaspersky), W32.SillyFDC (Symantec), TR/VB.bia (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via removable drives

Infection Channel 2: Copies itself in all available physical drives


Description: 

This worm may be dropped by other malware. It may arrive bundled with malware packages as a malware component. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates folders. It drops copies of itself. It drops files/components.

It creates registry entries to enable its automatic execution at every system startup. It employs registry shell spawning so that it executes when files of certain types are run. It does this by creating registry entries.

It creates and modifies registry key(s)/entry(ies) as part of its installation routine.

It drops copies of itself in all physical drives and in all removable drives.


Description created: Jun. 5, 2008 9:56:41 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 225,280 Bytes

Initial samples received on: Jun 2, 2008

Details:

Arrival Details

This worm may be dropped by other malware. It may arrive bundled with malware packages as a malware component. It may be downloaded unknowingly by a user when visiting malicious Web site(s).

Installation

This worm creates the following folder(s):

  • C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}

It drops the following copy(ies) of itself:

  • C:\WINDOWS\Fonts\Fonts.exe
  • C:\WINDOWS\Fonts\tskmgr.exe
  • C:\WINDOWS\Help\microsoft.hlp
  • C:\WINDOWS\Media\rndll32.pif
  • C:\WINDOWS\PCHEALTH\Global.exe
  • C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpHost.com
  • C:\WINDOWS\system\KEYBOARD.exe
  • C:\WINDOWS\system32\dllcache\Default.exe
  • C:\WINDOWS\system32\dllcache\Global.exe
  • C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
  • C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
  • C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  • C:\WINDOWS\system32\dllcache\svchost.exe
  • C:\WINDOWS\system32\drivers\drivers.cab.exe
  • C:\WINDOWS\system32\regedit.exe

It drops the following file(s)/component(s):

  • C:\WINDOWS\Cursors\Boom.vbs - detected by Trend Micro as VBS_AUTORUN.DMS
  • C:\WINDOWS\Fonts\wav.wav
  • C:\WINDOWS\system32\dllcache\autorun.inf
  • C:\WINDOWS\system32\dllcache\rndll32.exe
  • C:\WINDOWS\system32\dllcache\tskmgr.exe

Autostart Techniques

This worm creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunOnce
(Default) = "C:\WINDOWS\system32\dllcache\Default.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Policies\Explorer\Run
sys = "C:\WINDOWS\Fonts\Fonts.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run
(Default) = "C:\WINDOWS\system\KEYBOARD.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce
(Default) = "C:\WINDOWS\system32\dllcache\Default.exe"

It employs registry shell spawning so that it executes when files of certain types are run. It does this by creating the following registry entry(ies):

HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command
(Default) = "C:\WINDOWS\Fonts\Fonts.exe"

HKEY_CLASSES_ROOT\regfile\shell\open\command
(Default) = "regedit.exe %1 C:\WINDOWS\pchealth\Global.exe"

It enables its automatic execution whenever certain applications are run. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\auto.exe
Debugger = "C:\WINDOWS\system32\drivers\drivers.cab.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\autorun.exe
Debugger = "C:\WINDOWS\system32\drivers\drivers.cab.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\autoruns.exe
Debugger = "C:\WINDOWS\system32\drivers\drivers.cab.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\boot.exe
Debugger = "C:\WINDOWS\Fonts\fonts.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\ctfmon.exe
Debugger = "C:\WINDOWS\Fonts\Fonts.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\msconfig.exe
Debugger = "C:\WINDOWS\Media\rndll32.pif"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\procexp.exe
Debugger = "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = "C:\WINDOWS\Fonts\tskmgr.exe"

(Note: The paths indicated are hard-coded in this worm's body.)

Other System Modifications

This worm creates the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CLASSES_ROOT\comfile
NeverShowExt = "1"

HKEY_CLASSES_ROOT\exefile
NeverShowExt = "1"

HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\
System\Scripts\Logoff\0\0
Script = "C:\WINDOWS\Cursors\Boom.vbs"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\trial version\trial
date1 = "{Malware's execution date}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
policies\system
DisableStatusMessages = "1"

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Control Panel\Desktop
AutoEndTasks = "1"

(Note: The default value data for the said registry entry is 0.)

HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveTimeOut = "30"

(Note: The default value data for the said registry entry is {User Defined}.)

It modifies the following registry entry to hide files with hidden and system attributes for systems running Windows 98, ME, and XP:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced
ShowSuperHidden = "0"

For systems running Windows NT, 2000, and Server 2003, it creates the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\SuperHidden
ValueName = "ShowSuperHiden"
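The registry entries listed under Autostart Techniques and Other System Modifications can be checked from a .reg export rather than key by key in Registry Editor. The script below is an added example, not Trend Micro's code: it parses .reg text and flags every Image File Execution Options Debugger value (Windows launches that path in place of the named program), any HKCR shell\open\command handler that drops %1 or carries an extra executable after it, and NeverShowExt on exefile/comfile. The sample excerpt is constructed from this page's own entries, with the exefile handler left at its normal value as a benign control.

```python
"""Audit a .reg export for the persistence tricks listed above: IFEO 'Debugger'
redirection, hijacked HKCR shell\open\command handlers and hidden extensions."""
import re

# Constructed .reg excerpt built from this page's entries; the exefile open
# handler is left at its normal value as a benign control case.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\Fonts\\tskmgr.exe"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe %1 C:\\WINDOWS\\pchealth\\Global.exe"

[HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command]
@="C:\\WINDOWS\\Fonts\\Fonts.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"="1"
'''

IFEO = '\\image file execution options\\'
EXE_TOKEN = re.compile(r'\S+\.(?:exe|com|pif|scr|bat)\b', re.IGNORECASE)

def parse_reg(text):
    """Return {key: {value_name_lower: data}} for the string values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and '=' in line:
            name, data = line.split('=', 1)
            name = '(default)' if name == '@' else name.strip('"').lower()
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape
                data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            keys[current][name] = data
    return keys

def audit(keys):
    """Return (finding, key_or_target, data) tuples; empty means nothing suspicious."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        if IFEO in low and 'debugger' in values:
            # Windows launches the Debugger path instead of the named program,
            # which is how the worm swallows taskmgr, procexp, msconfig and co.
            findings.append(('ifeo_debugger', key.rsplit('\\', 1)[1], values['debugger']))
        elif low.startswith('hkey_classes_root\\') and low.endswith('\\shell\\open\\command'):
            cmd = values.get('(default)', '')
            # No %1: the file is never opened; executable after %1: hitchhiking payload
            if '%1' not in cmd or EXE_TOKEN.search(cmd.split('%1', 1)[1]):
                findings.append(('shell_hijack', key, cmd))
        elif low.endswith(('\\exefile', '\\comfile')) and values.get('nevershowext') == '1':
            findings.append(('hidden_extension', key, 'NeverShowExt=1'))
    return findings
```

Run `audit(parse_reg(open('export.reg').read()))` against a real export (Registry Editor, File > Export) to get the list of findings; on the sample it reports the taskmgr.exe debugger, both hijacked handlers and the hidden extension, and nothing for the untouched exefile handler.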

Propagation via Physical/Removable/Floppy Drives

This worm drops copies of itself in all physical drives and in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The file AUTORUN.INF contains the following strings:

[autorun]
Open=MS-DOS.com
Shellexecute=MS-DOS.com
Shell\Open\command=MS-DOS.com
Shell\Explore\command=MS-DOS.com
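As an added example (not part of the original page), the following Python parser reads an AUTORUN.INF, lists which files its launch directives would run, and reports whether the file carries exactly the four MS-DOS.com lines above, which is the check the cleaning steps later on this page ask for; the sample text is constructed from the page's listing.

```python
"""Parse an AUTORUN.INF and list what Windows AutoRun would launch, so a drive
can be checked for the directives shown above without opening the file by hand."""
import re

# Constructed copy of the AUTORUN.INF contents listed on this page.
SAMPLE_INF = r"""[autorun]
Open=MS-DOS.com
Shellexecute=MS-DOS.com
Shell\Open\command=MS-DOS.com
Shell\Explore\command=MS-DOS.com
"""

EXEC_EXT = ('.exe', '.com', '.pif', '.bat', '.scr', '.vbs')
VERB_CMD = re.compile(r'shell\\[^\\]+\\command')
WORM_KEYS = {'open', 'shellexecute', 'shell\\open\\command', 'shell\\explore\\command'}

def launch_targets(inf_text):
    """Map each launch directive in [autorun] (lower-cased) to the file it runs.
    Arguments after the file name are dropped; icon=, label= etc. are ignored."""
    targets, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('['):
            in_autorun = line.lower() == '[autorun]'  # section names are case-insensitive
            continue
        if in_autorun and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            key = key.lower()
            if key in ('open', 'shellexecute') or VERB_CMD.fullmatch(key):
                targets[key] = value.split()[0].strip('"') if value else ''
    return targets

def executables_launched(inf_text):
    """Sorted executables the file would run on insert or on Open/Explore."""
    return sorted({t for t in launch_targets(inf_text).values()
                   if t.lower().endswith(EXEC_EXT)})

def matches_this_worm(inf_text):
    """True when all four directives above are present and point at MS-DOS.com."""
    targets = launch_targets(inf_text)
    return set(targets) == WORM_KEYS and all(
        t.lower() == 'ms-dos.com' for t in targets.values())
```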

Affected Platforms

This worm runs on Windows 98, ME, and XP.

Analysis By: Michael Cabel

Revision History:

First pattern file version: 5.320.07
First pattern file release date: Jun 05, 2008

SOLUTION


Minimum scan engine version needed: 8.300

Pattern file needed: 5.543.00

Pattern release date: Sep 15, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as WORM_AUTORUN.BUK.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the malware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>
    RunOnce
  3. In the right panel, locate and delete the entry:
    (Default) = "C:\WINDOWS\system32\dllcache\Default.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    Policies>Explorer>Run
  5. In the right panel, locate and delete the entry:
    sys = "C:\WINDOWS\Fonts\Fonts.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    Run
  7. In the right panel, locate and delete the entry:
    (Default) = "C:\WINDOWS\system\KEYBOARD.exe"
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>
    RunOnce
  9. In the right panel, locate and delete the entry:
    (Default) = "C:\WINDOWS\system32\dllcache\Default.exe"

Removing Other Malware Entries from the Registry

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_CLASSES_ROOT>comfile
  2. In the right panel, locate and delete the entry:
    NeverShowExt = "1"
  3. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>exefile
  4. In the right panel, locate and delete the entry:
    NeverShowExt = "1"
  5. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>Desktop
  6. In the right panel, locate and delete the entry:
    SCRNSAVE.EXE = "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
  7. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Policies>Microsoft>
    Windows>System>Scripts>Logoff>0>0
  8. In the right panel, locate and delete the entry:
    Script = "C:\WINDOWS\Cursors\Boom.vbs"
  9. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>VB and VBA Program Settings>
    trial version>trial
  10. In the right panel, locate and delete the entry:
    date1 = "{Malware's execution date}"
  11. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    CurrentVersion>policies>system
  12. In the right panel, locate and delete the entry:
    DisableStatusMessages = "1"
  13. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>auto.exe
  14. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\system32\drivers\drivers.cab.exe"
  15. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>autorun.exe
  16. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\system32\drivers\drivers.cab.exe"
  17. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>autoruns.exe
  18. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\system32\drivers\drivers.cab.exe"
  19. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>boot.exe
  20. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\Fonts\fonts.exe"
  21. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>ctfmon.exe
  22. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\Fonts\Fonts.exe"
  23. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>msconfig.exe
  24. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\Media\rndll32.pif"
  25. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>procexp.exe
  26. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"
  27. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
    CurrentVersion>Image File Execution Options>taskmgr.exe
  28. In the right panel, locate and delete the entry:
    Debugger = "C:\WINDOWS\Fonts\tskmgr.exe"
  29. For systems running Windows NT, 2000, and Server 2003, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>
    CurrentVersion>Explorer>Advanced>Folder>SuperHidden
  30. In the right panel, locate and delete the entry:
    ValueName = "ShowSuperHiden"

Restoring Registry Entries

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Control Panel>Desktop
  2. In the right panel, locate the entry:
    AutoEndTasks = "1"
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    "0"
  4. In the right panel, locate the entry:
    ScreenSaveTimeOut = "30"
  5. Right-click on the value name and choose Modify. Change the value data of this entry to:
    {User Defined}
  6. For systems running Windows 98, ME, and XP, in the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>
    CurrentVersion>Explorer>Advanced
  7. In the right panel, locate the entry:
    ShowSuperHidden = "0"
  8. Right-click on the value name and choose Modify. Change the value data of this entry to:
    1
  9. Close Registry Editor.

Addressing Registry Shell Spawning

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

This procedure prevents the malware from executing whenever a user opens files with certain extension names. It should restore the registry to its original settings.

  1. Click Start>Run.
  2. In the Open input box, type:
    command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
  3. Press Enter.
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>MSCFile>Shell>Open>Command
    HKEY_CLASSES_ROOT>regfile>shell>open>command
  5. In the right panel, locate the registry entry:
    Default
  6. Check whether its value is the path and file name of the malware file.
  7. If the value is the malware file, right-click Default and select Modify to change its value.
  8. In the Value data input box, delete the existing value and type the default value:
    "%1" %*
  9. Repeat this procedure for the following registry key(s):
    • HKEY_CLASSES_ROOT>MSCFile>Shell>Open>Command
    • HKEY_CLASSES_ROOT>regfile>shell>open>command
  10. Close Registry Editor.
  11. Click Start>Run, then type:
    command /c del regedit.com
  12. Press Enter.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    C:\WINDOWS\Fonts\wav.wav
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.
  5. Repeat steps 2-4 for the following file(s):
    C:\WINDOWS\Fonts\wav.wav
    C:\WINDOWS\system32\dllcache\autorun.inf
    C:\WINDOWS\system32\dllcache\rndll32.exe
    C:\WINDOWS\system32\dllcache\tskmgr.exe

Deleting the Malware Folder(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.

Deleting Malware-created AUTORUN.INF Files

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    AUTORUN.INF
  3. In the Look In drop-down list, select a drive, then press Enter.
  4. Select the file, then open using Notepad.
  5. Check if the following lines are present in the file:
    [autorun]
    Open=MS-DOS.com
    Shellexecute=MS-DOS.com
    Shell\Open\command=MS-DOS.com
    Shell\Explore\command=MS-DOS.com
  6. If the lines are present, delete the file.
  7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
  8. Close Search Results.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_AUTORUN.BUK and VBS_AUTORUN.DMS. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
